2014-01 January

General

Phabricator now requires the daemons to be running in order to send mail or perform search indexing. Primarily, this simplifies configuration: it allowed us to delete a lot of fallback code which attempted to perform these tasks slowly and poorly when the daemons were not running.

Sessions have been reworked, but this should not impact users much. There is now a Settings > Sessions panel which allows you to view your sessions. Among other things, this rework simplified configuration.

Search indexing now happens in the daemons.

Added Mailgun support.

Logged-out users can now view the homepage, on installs which allow public access.

Added a blacklist for common passwords. This mitigates attacks where a botnet tries to log in to many accounts, very slowly, using a handful of common passwords: spreading the guesses across many accounts and many source addresses keeps each one under per-account and per-address rate limits, so rejecting the passwords themselves is the remaining defense. For discussion of how this attack impacted GitHub, see "Weak GitHub passwords lead to account security breach" (The Verge). (We are not aware of any attacks of this nature against Phabricator in the wild.)
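As an added example (this is not Phabricator's code), a common-password check of the kind described above. The blacklist is a constructed sample, and the rule for stripping trailing digits and punctuation is an assumed heuristic; the account-identifier check goes beyond what the changelog describes and is marked as such in the code.

```python
# Added example, not Phabricator's code: a common-password blacklist check of
# the kind described above. The blacklist is a constructed sample; a real
# deployment would load a list of the most frequently leaked passwords.
import re
from typing import Iterator, Optional

# Constructed sample of common passwords, stored lowercase.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "admin", "welcome", "monkey", "dragon",
})


def normalize(password: str) -> str:
    """Case-fold and trim so 'PASSWORD' and ' password ' both match 'password'."""
    return password.strip().casefold()


def candidates(password: str) -> Iterator[str]:
    """Yield the forms a password is checked in: as typed (normalized), then
    with the trailing punctuation and digits people bolt onto a common word
    ('letmein!!', 'password123') stripped. The stripping rule is an assumed
    heuristic, not something the changelog specifies."""
    p = normalize(password)
    yield p
    no_punct = re.sub(r"\W+$", "", p)       # 'letmein!!'   -> 'letmein'
    yield no_punct
    yield re.sub(r"\d+$", "", no_punct)     # 'password123' -> 'password'


def is_common_password(password: str) -> bool:
    """True if any checked form of the password is on the blacklist."""
    return any(c and c in COMMON_PASSWORDS for c in candidates(password))


def uses_account_identifier(password: str, username: str, email: str = "") -> bool:
    """Extension beyond the changelog (assumed): also reject passwords built
    from the account's own username or e-mail local part, which a targeted
    guesser would try before anything on a generic list."""
    p = normalize(password)
    identifiers = [username, email.split("@", 1)[0]]
    return any(i and len(i) >= 4 and i.casefold() in p for i in identifiers)


def validate_password(password: str, username: str, email: str = "") -> Optional[str]:
    """Return None if the password is acceptable, else a rejection reason."""
    if not password:
        return "empty"
    if is_common_password(password):
        return "common"
    if uses_account_identifier(password, username, email):
        return "account-identifier"
    return None
```

Checking the stripped forms matters because a guessing botnet's list contains "Password1" and "letmein!!" as well as the bare words; a blacklist that only matches exact strings misses most of what is actually tried.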

We slightly changed the behavior of the next cookie, which controls where you are redirected after you log in. Previously, we did not set this cookie on 404 pages, which allowed an attacker to determine whether a URI was routable by checking for the cookie in the response. We are now more selective about when we overwrite the cookie, and no longer leak URI routability information to logged-out users. We are not aware of anything useful that attackers could have done with this information.

We now issue anonymous sessions to logged-out users and enforce CSRF protection on logged-out actions. In particular, this prevents an attacker from logging a victim into an account the attacker controls after tricking them into visiting a malicious page (a "login CSRF" attack). This attack was not directly useful, but could have been a component in a more sophisticated chain of compromise. This issue was reported to us via HackerOne, and we awarded a $300 bounty for it.
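As an added example (this is not Phabricator's code, and the token construction is not the one Phabricator uses), the mechanism described above: every logged-out visitor gets an anonymous session, the CSRF token is derived from that session with a server-side key, and the login handler refuses a POST whose token does not match the session the cookie identifies. The account names, server key and handler names are constructed for illustration.

```python
# Added example, not Phabricator's code: anonymous sessions for logged-out
# visitors, a CSRF token bound to that session, and the login-CSRF attack
# the combination defeats. Names, the token construction and the sample
# accounts are assumptions for illustration.
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)  # per-install secret, never sent to clients
SESSIONS: Dict[str, dict] = {}        # session id (cookie value) -> session state
USERS = {"alice": "correct horse", "mallory": "hunter2"}  # constructed accounts


def issue_anonymous_session() -> str:
    """Give every visitor a session cookie, logged in or not."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": None}
    return sid


def csrf_token(sid: str) -> str:
    """Token derived from the session id with a server-side key. A page on
    another origin cannot read the victim's cookie, so it cannot compute a
    token that matches the victim's (anonymous) session."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()[:32]


def _authenticate(form: dict) -> Optional[str]:
    """Return the username if the submitted credentials are valid."""
    user = form.get("username")
    if user in USERS and hmac.compare_digest(USERS[user], form.get("password", "")):
        return user
    return None


def _promote(sid: str, user: str) -> str:
    """Rotate the session id on login so the pre-login id is not reused."""
    del SESSIONS[sid]
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"user": user}
    return new_sid


def login_without_csrf(sid: str, form: dict) -> Tuple[bool, str]:
    """Before: any POST carrying valid credentials logs the session in, even
    one the victim's browser was tricked into sending."""
    if sid not in SESSIONS:
        return False, "no session"
    user = _authenticate(form)
    return (True, _promote(sid, user)) if user else (False, "bad credentials")


def login(sid: str, form: dict) -> Tuple[bool, str]:
    """After: the token must match the session the cookie identifies."""
    if sid not in SESSIONS:
        return False, "no session"
    if not hmac.compare_digest(form.get("csrf", ""), csrf_token(sid)):
        return False, "csrf token missing or invalid"
    user = _authenticate(form)
    return (True, _promote(sid, user)) if user else (False, "bad credentials")


def login_csrf_attack(handler: Callable[[str, dict], Tuple[bool, str]]) -> bool:
    """Simulate the attack: the attacker's page auto-submits a login form with
    the attacker's own credentials; the victim's browser attaches the victim's
    session cookie. Returns True if the victim ends up logged in as mallory."""
    victim_sid = issue_anonymous_session()
    forged_form = {"username": "mallory", "password": "hunter2"}  # no csrf field
    ok, result = handler(victim_sid, forged_form)
    return bool(ok and SESSIONS[result]["user"] == "mallory")
```

Running `login_csrf_attack(login_without_csrf)` succeeds and `login_csrf_attack(login)` fails: the forged form carries valid credentials, but the attacker cannot supply a token for a session id they never see. Without anonymous sessions there is nothing to bind the token to, which is why the two changes above come together.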

The welcome / password reset workflow is now stricter, to prevent similar attacks in which an attacker could have tricked a victim into logging in to an account the attacker controls. This issue was reported to us via HackerOne, and we awarded a $300 bounty for it.

We received 9 other reports via HackerOne in this period that we do not believe represent security vulnerabilities:

(2 reports) Password autocomplete is enabled. This is intentional.

(1 report) Sessions do not expire quickly, and users can log in from multiple browsers. This is intentional, as many users rely on these behaviors in their daily work.

(1 report) XSS requiring interaction with browser debugging tools. We could not reproduce this and do not believe it is an issue with Phabricator.

(1 report) Permissioning on Files is not always as clear as it could be. We have plans to improve this, but this is mostly a product issue.

(1 report) We use the RC4 cipher on secure.phabricator.com. This is intentional, common, and not covered by the award program. We may choose a different cipher suite when the certificate expires in a few months.

(1 report) We include JavaScript directly from CDNs on phabricator.org. This is intentional, common, and not covered by the award program. The site also does not have any cookies or authenticated content.

(1 report) A user typed a short missive (in French) decrying Facebook into the form. We do not believe this constitutes a security vulnerability in Phabricator.